Wednesday, 30 May 2012

How Do I Packet Filter Under Linux

How Do I Packet Filter Under Linux?
Linux kernels have had packet filtering since the 1.1 series. The first generation, based on ipfw from
BSD, was ported by Alan Cox in late 1994. This was enhanced by Jos Vos and others for Linux 2.0;
the userspace tool ‘ipfwadm’ controlled the kernel filtering rules. In mid-1998, for Linux 2.2, I
reworked the kernel quite heavily, with the help of Michael Neuling, and introduced the userspace tool
‘ipchains’. Finally, the fourth-generation tool, ‘iptables’, and another kernel rewrite occurred in
mid-1999 for Linux 2.4. It is this iptables which this HOWTO concentrates on.
You need a kernel which has the netfilter infrastructure in it: netfilter is a general framework inside
the Linux kernel which other things (such as the iptables module) can plug into. This means you need
kernel 2.3.15 or beyond, and answer ‘Y’ to CONFIG_NETFILTER in the kernel configuration.
The tool iptables talks to the kernel and tells it what packets to filter. Unless you are a
programmer, or overly curious, this is how you will control the packet filtering.
iptables
The iptables tool inserts and deletes rules from the kernel’s packet filtering table. This means that
whatever you set up, it will be lost upon reboot; see Making Rules Permanent for how to make sure
they are restored the next time Linux is booted.
iptables is a replacement for ipfwadm and ipchains: see Using ipchains and ipfwadm for how
to painlessly avoid using iptables if you’re using one of those tools.
Making Rules Permanent
Your current firewall setup is stored in the kernel, and thus will be lost on reboot. Writing
iptables-save and iptables-restore is on my TODO list. When they exist, they’ll be cool, I promise.
Meanwhile, put the command required to set up your rules in an initialization script. Make sure you do
something intelligent if one of the commands should fail (usually ‘exec /sbin/sulogin’).
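The initialization script the text recommends, as an added example that is not part of the HOWTO: it re-creates the rules at boot and, if any rule fails to load, does the "something intelligent" of dropping to sulogin instead of continuing with a half-built firewall. The rule set is a constructed sample, and the paths /sbin/iptables and /sbin/sulogin are assumptions.

```shell
#!/bin/sh
# Constructed init-script example (not from the HOWTO).
# Assumptions: iptables is at /sbin/iptables and sulogin at /sbin/sulogin;
# both can be overridden through the environment.

IPT="${IPT:-/sbin/iptables}"
SULOGIN="${SULOGIN:-/sbin/sulogin}"

# Feed the sample rules to iptables one line at a time, in order, and stop
# at the first failure so later rules never run against an unexpected state.
load_rules() {
    while IFS= read -r rule; do
        [ -z "$rule" ] && continue
        # Word-splitting $rule into separate arguments is intended here.
        if ! $IPT $rule; then
            echo "firewall: rule failed: $IPT $rule" >&2
            return 1
        fi
    done <<EOF
-F
-P INPUT DROP
-P FORWARD DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
EOF
}

# Undo everything: no rules, open policies.
flush_rules() {
    $IPT -F && $IPT -P INPUT ACCEPT && $IPT -P FORWARD ACCEPT
}

case "$1" in
    start|restart)
        if ! load_rules; then
            echo "firewall: setup failed, dropping to single-user login" >&2
            exec "$SULOGIN"
        fi
        ;;
    stop)
        flush_rules
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        ;;
esac
```

Invoke it as `firewall start` from your init sequence; with `IPT=true` or `IPT=false` in the environment you can dry-run the success and failure paths without touching the kernel.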